Cypherpunks in Sportcoats: Chia’s Custody is a Killer App- January 17, 2023
On December 6, 2022 Timothy B. Lee had a guest post on Josh Barro’s Substack, “It’s time to get serious about regulating cryptocurrency.” He concluded, “Americans shouldn’t invest in cryptocurrency … because most Americans lack the technical skills required to do it safely.”
He is correct about the current state of the solution that people experience today on Ethereum and Bitcoin. At Chia, we recognize this and provide a rich toolbox to make flexible custody ultimately easier to use than passwords on the internet or your current bank account.
Intuitive custody, without 24 words
While many individuals worry about having their private keys stolen—and it does happen—you’re far more likely to simply lose access to your wallet. When planning for an organization instead of an individual, the likely reason you’d lose a quorum of keys is employee or volunteer churn.
The tools I will outline below can protect you from these concerns. If you lose access to your hot hardware you can just use the warm to recover the coins and rekey in a new hot hardware key. Sick of your bank or worried they might try to rug? You can take them off at any time and choose a new one. Even if they do try to rug, you have plenty of time to take your assets back. And if you’re still paranoid, you still have the option of backing up your 24 words to one or both of the hot or warm hardware keys.
Custody is the most contentious problem in blockchains and crypto today. And, it requires a deeper dive into the technology to get to the crux of the needs.
Custody limitations of Bitcoin and Ethereum
The difficulty of custody in Bitcoin and Ethereum has held back mass adoption, caused massive centralization of both validation and asset storage, and led to a string of calamitous failures of centralized infrastructures—most recently, the rug pull that was FTX.
Technologically, Bitcoin has the better precursor environment to build real custody solutions on as EVM and the account model used in Solidity on Ethereum can potentially replicate these solutions, but it’s a difficult lift that requires more trust in developers and is much harder to audit and reason about. The UTXO or Coin model is better at enforcing on-chain custody.
The lack of good custody tools led to extreme centralization in both Ethereum and Bitcoin. Delegating staking to centralized entities is easier and more profitable than running a validator yourself. Smoothing out of Bitcoin mining rewards led to the dominance of four central pools that make the majority of blocks. The Nakamoto Coefficient is the minimum number of people one would have to round up to be guaranteed to make the next block. The idea behind the Coefficient is straightforward. Every decentralized system consists of subsystems. By determining how many entities in each subsystem one needs to control, one can make reasonable assumptions on the degree of effective decentralization in a network. The higher the value of subsystems one needs to control, the higher the decentralization. For ETH, it looks to be 1 or 1 or 2, and for BTC, 4. But in Chia, it’s 50+.
Highly decentralized pooling rewards with Chia custody
That’s because we use one of our key custody primitives to decentralize pooling rewards. By default, in Chia, ⅛ of farming rewards are given directly to the farmer and ⅞ to either the farmer or her opt in pool. Farmers, when creating their plots initially, commit the ⅞ reward to a singleton—also known as an NFT—but the term vault is best here. At first, this vault takes custody of ⅞ of the farming rewards when the farmer wins a block. It’s up to the farmer to claim her pooling rewards from her pooling vault once in a while. However, the farmer can manage the vault and join a pool by committing her vault to a pool.
Here’s where advanced custody rules come into play. Pools need to know that a farmer can’t just go and grab her pool reward shortly after winning it and before the pool can spend it into the common pool wallet. Farmers need to be able to leave because pools can rug pull, or they can have severe outages. Here we use timelocks in the vault so that the pool has a period of time where they can exclusively spend out of the farmer’s vault, and then after that either the pool or farmer can claim that reward. Pools can’t stop a farmer from committing her vault back to herself or another pool, but she can’t do it faster than the pool can collect what may be due. This way, farmers keep making the blocks while using advanced custody to work with decentralized pools that smooth their rewards.
Bitcoin could have decentralized pooling, which would likely increase its Nakamoto Coefficient to 20+, but the best implementation would require adding more opcodes or just biting the bullet and implementing a Bitcoinlisp like Chialisp. It’s a shame that most outside of the actual Bitcoin developers don’t understand the decentralizing power this class of functionality enables. The debate about how or even whether to add this additional functionality chilled the development of new capabilities for money and assets to Bitcoin. This lack of advanced custody is firmly at the bottom of most raging Bitcoin arguments and has the de facto outcome of driving normal users to centralized exchanges where they keep getting rugged.
Introducing Chia Vaults for more control
In Chia, we plan to have classic wallets like as one uses with Bitcoin or Ethereum today, but we’re adding vaults into that mix. A wallet still controls vaults (really just a set of private keys), but their logic remains on the chain instead of coming up through the software that runs the wallet.
When a wallet spends today in Chia, it is possible to set some restrictions on what the created coin can do the next time someone wishes to spend it – this is how singletons get made in the first place. There are restrictions that wallet users and vault users will want to mix and match to make secure and manageable custody a reality. A vault can house almost any asset on Chia and can manage that asset class or specific asset differently, even down to which key of a 1 of 3 shows up to do something with it.
The way to think about this is that you might want your ability to spend up to a rate-limited amount of Chia per day with your hot key, but it can’t spend your NFT collections at all. Only the warm wallet can, and that will enforce a 24-hour clawback on all NFT spends.
For each step in the custody process, one can add restrictions when spending a coin or create a pre-committed time limit on how a coin can be spent. These are not mutually exclusive – one can do both or multiple versions of each on any given spend.
Added protection for NFT transactions and more
What are the risks of managing your private keys? What aren’t? Today’s status quo is that you have a hardware device like a Ledger Nano X and a backup of the seed phrase on a piece of paper or steel. The steel is a complete pain, but it protects against a prime set of risks— a fire takes your backup or other types of bitrot make it so you can’t get to your keys anymore. Just ask the guy searching for his BTC millions in a landfill. The other type of bitrot is that hardware can just fail on you or get dropped in the deep ocean.
The two big transaction risks in crypto ecosystems are escrow fraud and people socially engineering your private keys to e.g. steal all your NFTs and then immediately sell them to existing offers out there, pocketing the profit. We believe Chia Offers has effectively vanquished the former, and we’re here to talk about the latter.
With Chia, one can add a 1-hour clawback to all of their NFT collection that would let one of your two other keys, in a 3 key setup—always be able to get your NFTs back for that period. For lower frequency transactions like NFT trades, having your counterparty know you sent it, but also know it won’t be theirs yet for an hour, is a small price to pay to know that you can recover from that “oh bleep” moment when you realize you were scammed/hacked. Note that the new owner has high confidence that the NFT is hers after the timelock because the original transaction will be deeply buried on chain too.
Chia best practices for individual and institutional custody
These days the very best setup for most regular users is a 3 key strategy leveraging two hardware devices and an institution. The idea is that your hot key or primary wallet can spend most assets pretty immediately. Your warm wallet goes into your safe. It can’t spend anything without having a 48-hour clawback in favor of your hot key (but it can immediately spend clawbackable assets sent by the hot wallet.) The hot key can take the drop coin that the warm backup creates and spend it to a new wallet or vault at any point during those 48 hours. You’ll want a watchtower app to warn you that someone stole your warm backup and probably watches for spending. Users may also want to rate limit their hot key, but that generally requires a fourth key that’s low risk and only guards against the warm wallet being stolen and used to take the hot wallet’s funds that remain rate-limited. For a bit more security, that fourth key can also be the only place the various clawbacks above can go.
What about the institutions you are adding to this mix? Imagine a bank or crypto custody partner that offers virtual safe deposit boxes. You subscribe to them for $10 a month, and they promise never to use the key that you both agree upon until you show up and verify it’s still you or a real legal alternative to you (think surviving spouse or power of attorney.) If you do show up, you hand them a new vault or wallet address to send all the funds in the other two to anywhere you want. But, there will be a two-week time delay during which either of the other two keys can instead pull those funds and put them into a new wallet. No more rogue trustees. All of this is enforced by the chain and on the chain.
As an important aside, those two hardware wallets look an awful lot like the two hardware keys you should be using to secure your email account. Keeping people in the habit of using the same security tools often to authenticate their email accounts and their blockchain transactions leads to far less bitrot.
Enterprises and DAOs can build even more functionality with these tools. Having spending require 2 of 2 is a great way to enforce role separation. Enterprises can use this exact same end-user toolset to authorize things that happen off-chain – like logging into services or approving a wire in general ledger software. We are using most of these primitives already to secure our prefarm, and we will be making these tools much more human-friendly during the first half of 2023.
We are moving to a future where having extremely high security feels more like ultra-secure car keys (don’t get me started about how insecure actual car keys are), and less like carrying $100 bills in a brown paper sack in a dangerous part of town. This future is far more secure than the one we live in today, and it adds security to far more than just financial assets. It is one of the key reasons blockchains will be adopted for real world use cases.